From: Denis BUCHER on 23 Jul 2010 10:31

Dear all,

Yesterday I succeeded in blocking some IPs (or more exactly allowing only some) to connect to one of my servers and send email via SMTP.

Now for another server, I need something a little more complicated and I would be happy if someone could direct me to the right method.

I would like to activate this functionality ONLY for some domains :
* Some (recipient) domains should accept emails from any IP
* Some other (recipient) domains should accept emails only from IPs in the list

This is my working config to allow emails only from some IPs, for all domains :

> 1. Added this in main.cf :
> smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access
>
> 2. Added this to /etc/postfix/access :
> 216.82.240.0/20 OK
> 213.213.213.213 REJECT
>
> 3. Command line :
> postmap access
> /etc/init.d/postfix reload

How can I therefore decide for which domains this config is active and for which domains all incoming IPs are accepted ?

Thanks a lot in advance for any hint !

Denis

From: Brian Evans - Postfix List on 23 Jul 2010 10:49

On 7/23/2010 10:31 AM, Denis BUCHER wrote:
> Dear all,
>
> Yesterday I succeeded in blocking some IPs (or more exactly allowing
> only some) to connect to one of my servers and send email via SMTP.
>
> Now for another server, I need something a little more complicated and
> I would be happy if someone could direct me to the right method.
>
> I would like to activate this functionality ONLY for some domains :
> * Some (recipient) domains should accept emails from any IP
> * Some other (recipient) domains should accept emails only from IPs in
> the list
>
> This is my working config to allow emails only from some IPs, for all
> domains :
>
> > 1. Added this in main.cf :
> > smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access
> >
> > 2. Added this to /etc/postfix/access :
> > 216.82.240.0/20 OK
> > 213.213.213.213 REJECT
> >
> > 3. Command line :
> > postmap access
> > /etc/init.d/postfix reload
>
> How can I therefore decide for which domains this config is active and
> for which domains all incoming IPs are accepted ?

Easy example, more can be found at
http://www.postfix.org/RESTRICTION_CLASS_README.html
(Note, you may wish to make the cidr access table name something more informative to you. Postfix does not require it to be called access).

denybyip = check_client_access cidr:/etc/postfix/access
smtpd_restriction_classes = denybyip
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    .....
    check_recipient_access hash:/etc/postfix/domainipcheck

/etc/postfix/domainipcheck:

example.com denybyip
example.net denybyip

From: Denis BUCHER on 23 Jul 2010 17:11

Hello Brian,

On 23.07.2010 16:49, Brian Evans - Postfix List wrote:
>> Yesterday I succeeded in blocking some IPs (or more exactly allowing
>> only some) to connect to one of my servers and send email via SMTP.
>>
>> Now for another server, I need something a little more complicated and
>> I would be happy if someone could direct me to the right method.
>>
>> I would like to activate this functionality ONLY for some domains :
>> * Some (recipient) domains should accept emails from any IP
>> * Some other (recipient) domains should accept emails only from IPs in
>> the list
>>
>> This is my working config to allow emails only from some IPs, for all
>> domains :
>>
>> > 1. Added this in main.cf :
>> > smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access
>> >
>> > 2. Added this to /etc/postfix/access :
>> > 216.82.240.0/20 OK
>> > 213.213.213.213 REJECT
>> >
>> > 3. Command line :
>> > postmap access
>> > /etc/init.d/postfix reload
>>
>> How can I therefore decide for which domains this config is active and
>> for which domains all incoming IPs are accepted ?
> Easy example, more can be found at
> http://www.postfix.org/RESTRICTION_CLASS_README.html
> (Note, you may wish to make the cidr access table name something more
> informative to you. Postfix does not require it to be called access).
>
> denybyip = check_client_access cidr:/etc/postfix/access
> smtpd_restriction_classes = denybyip
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     reject_unauth_destination,
>     ....
>     check_recipient_access hash:/etc/postfix/domainipcheck
>
>
> /etc/postfix/domainipcheck:
>
> example.com denybyip
> example.net denybyip

Thank you very much !

I tried your suggestion, with a small change, "smtpd_client_restrictions" instead of smtpd_recipient_restrictions and it seems to be working very well.

But now I have another problem, with that config, I have a problem, it's not possible to send emails anymore, because something is missing : we should allow any authenticated user to send emails ? Something like permit_auth_users ?

Should I simply add "permit_sasl_authenticated, permit_mynetworks," BEFORE check_recipient_access hash:/etc/postfix/domainipcheck ?

(I think it is correct because I tried and it seems to work, but I prefer to have your confirmation)

Thanks a lot !

Denis

From: Noel Jones on 23 Jul 2010 22:40

On 7/23/2010 4:11 PM, Denis BUCHER wrote:
> Hello Brian,
>
> On 23.07.2010 16:49, Brian Evans - Postfix List wrote:
>>> Yesterday I succeeded in blocking some IPs (or more exactly allowing
>>> only some) to connect to one of my servers and send email via SMTP.
>>>
>>> Now for another server, I need something a little more complicated and
>>> I would be happy if someone could direct me to the right method.
>>>
>>> I would like to activate this functionality ONLY for some domains :
>>> * Some (recipient) domains should accept emails from any IP
>>> * Some other (recipient) domains should accept emails only from IPs in
>>> the list
>>>
>>> This is my working config to allow emails only from some IPs, for all
>>> domains :
>>>
>>> > 1. Added this in main.cf :
>>> > smtpd_client_restrictions = check_client_access cidr:/etc/postfix/access
>>> >
>>> > 2. Added this to /etc/postfix/access :
>>> > 216.82.240.0/20 OK
>>> > 213.213.213.213 REJECT
>>> >
>>> > 3. Command line :
>>> > postmap access
>>> > /etc/init.d/postfix reload
>>>
>>> How can I therefore decide for which domains this config is active and
>>> for which domains all incoming IPs are accepted ?
>> Easy example, more can be found at
>> http://www.postfix.org/RESTRICTION_CLASS_README.html
>> (Note, you may wish to make the cidr access table name something more
>> informative to you. Postfix does not require it to be called access).
>>
>> denybyip = check_client_access cidr:/etc/postfix/access
>> smtpd_restriction_classes = denybyip
>> smtpd_recipient_restrictions =
>>     permit_mynetworks,
>>     reject_unauth_destination,
>>     ....
>>     check_recipient_access hash:/etc/postfix/domainipcheck
>>
>>
>> /etc/postfix/domainipcheck:
>>
>> example.com denybyip
>> example.net denybyip
>
> Thank you very much !
>
> I tried your suggestion, with a small change,
> "smtpd_client_restrictions" instead of
> smtpd_recipient_restrictions and it seems to be working very well.
>
> But now I have another problem, with that config, I have a
> problem, it's not possible to send emails anymore, because
> something is missing : we should allow any authenticated user
> to send emails ? Something like permit_auth_users ?
>
> Should I simply add "permit_sasl_authenticated,
> permit_mynetworks," BEFORE check_recipient_access
> hash:/etc/postfix/domainipcheck ?
>
> (I think it is correct because I tried and it seems to work,
> but I prefer to have your confirmation)
>

Yes, that's the correct solution, but it must be in smtpd_recipient_restrictions.

Make sure you leave smtpd_delay_reject at the default "yes" value for this to work correctly.

--
Noel Jones
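
A simplified model of how the final restriction list from this thread is evaluated for each RCPT TO, added here as an illustration (it is not code from the posters or from Postfix). The hosted domain list, the mynetworks value, the sample client addresses and the catch-all 0.0.0.0/0 REJECT row are assumptions; THREAD_TABLE holds the two rows as posted, and a client matching neither row gets no decision from the table and falls through to the implicit permit.

```python
import ipaddress

# Constructed sample data modelled on the thread's tables (assumptions, not a real setup).
THREAD_TABLE = [("216.82.240.0/20", "OK"), ("213.213.213.213", "REJECT")]  # rows as posted
ALLOWLIST_TABLE = [("216.82.240.0/20", "OK"), ("0.0.0.0/0", "REJECT")]     # catch-all added
RESTRICTED_DOMAINS = {"example.com", "example.net"}            # domainipcheck -> denybyip
LOCAL_DOMAINS = {"example.com", "example.net", "example.org"}  # assumed hosted domains
MYNETWORKS = ["127.0.0.0/8"]                                   # assumed mynetworks


def cidr_lookup(table, client_ip):
    """cidr: tables are searched in order; no matching row means DUNNO."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in table:
        if addr in ipaddress.ip_network(network):
            return action
    return "DUNNO"


def rcpt_decision(client_ip, rcpt, sasl_authenticated=False, table=ALLOWLIST_TABLE):
    """Simplified model of the recipient restriction list; first decisive result wins."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    if sasl_authenticated:                         # permit_sasl_authenticated
        return "permit"
    if cidr_lookup([(n, "OK") for n in MYNETWORKS], client_ip) == "OK":
        return "permit"                            # permit_mynetworks
    if domain not in LOCAL_DOMAINS:                # reject_unauth_destination
        return "reject"
    if domain in RESTRICTED_DOMAINS:               # check_recipient_access -> denybyip
        action = cidr_lookup(table, client_ip)     # denybyip = check_client_access
        if action in ("OK", "REJECT"):
            return "permit" if action == "OK" else "reject"
    return "permit"                                # end of list: implicit permit


if __name__ == "__main__":
    for ip, rcpt, auth in [("216.82.241.5", "a@example.com", False),
                           ("198.51.100.7", "a@example.com", False),
                           ("198.51.100.7", "a@example.org", False),
                           ("198.51.100.7", "b@elsewhere.test", True)]:
        print(ip, rcpt, auth, rcpt_decision(ip, rcpt, auth))
```
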